What Is a CAPTCHA Re-Riding Attack?
Many websites want to tell whether a page is being read by a human or by a bot, mostly to stop automated spam. For this they use a CAPTCHA, an acronym for Completely Automated Public Turing Test to tell Computers and Humans Apart: the page shows distorted text that is meant to be readable by a human but not by software.
Common text CAPTCHAs show one or two words, usually in old-style fonts with deliberate distortions that make them hard for OCR (Optical Character Recognition) software to read.
The intent is that an automated system cannot pass the test on its own. Websites use a CAPTCHA where they want to prevent bogus memberships or hoax accounts; some financial websites require one when a new account is created.
Some websites also present a CAPTCHA after you have entered a wrong password two or three times.
A CAPTCHA re-riding attack bypasses the CAPTCHA protection that a web application has adopted.
It works when the server-side code that verifies the user's CAPTCHA solution does not clear that solution from the HTTP session after checking it. An attacker can then resend the same solved CAPTCHA with request after request for as long as the session lives.
What Happens During a CAPTCHA Re-Riding Attack?
When a user visits a webpage and requests registration, the website creates an HTTP session, assigns it a session ID, and returns the registration page with the session ID in a cookie. The registration page also contains an image tag that directs the visitor's browser to a remote server to retrieve the CAPTCHA to be displayed.
The visitor's browser follows the tag and requests the CAPTCHA from the remote server. The server creates a new CAPTCHA with random text, stores its solution in the current HTTP session, and returns the CAPTCHA image to the requesting browser for display.
The user solves the CAPTCHA and the browser sends the solution to the server for verification. The server retrieves its own solution from the HTTP session and verifies the solution with that provided by the client.
If the two solutions match, the client is given the clearance to proceed to the next logical step in the registration process; if the visitor’s response doesn’t match the CAPTCHA image, the registration process starts afresh.
Throughout verification the CAPTCHA solution stays in the HTTP session and is not cleared for as long as the session is alive. This holds even when verification succeeds and the user is cleared to the next step; when verification fails, the application keeps using the same session ID, the same HTTP session and the same stored solution.
The attacker exploits this situation.
The attacker solves the CAPTCHA once and submits the solution to the website while recording the request in a web proxy. With a custom script or a tool such as Burp Intruder, the attacker then replays that recorded request many times.
In each replayed request only the username (or email address) is changed, so many new accounts are created from a single CAPTCHA solution, which defeats the purpose of having the CAPTCHA in the first place.
Attackers often do not use the resulting accounts directly; they exploit the vulnerability to supply tools and data to others for illegal activities.
Lists of millions of email addresses harvested through such attacks are regularly put up for sale, and these lists include addresses belonging to military, government and intelligence-agency staff.
How to Prevent a CAPTCHA Re-Riding Attack
Two major steps can prevent CAPTCHA re-riding attacks:
- Never trust emails from unknown senders offering something you did not request and demanding your information;
- Reset the CAPTCHA solution within the HTTP session as soon as the CAPTCHA verification step completes, whether it succeeded or failed, so that every verification attempt requires a freshly issued CAPTCHA.
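The following is an added example, not code from the original article or from any particular web framework. It models the registration flow described above (session created, CAPTCHA solution stored in the session, solution compared on submit) with an in-memory session store, and places the vulnerable verifier beside the fixed one: the vulnerable version only compares the stored solution, while the fixed version consumes it on every attempt. The `replay_attack` function plays the attacker's role, submitting one solved CAPTCHA with a different username each time, as Burp Intruder would. The session store, the function names and the CAPTCHA alphabet are assumptions made for this example.

```python
import secrets
import string

# Constructed stand-in for the server-side HTTP session store:
# session ID -> session attributes (a real app keys this off the cookie).
SESSIONS = {}
# Constructed stand-in for the account database.
ACCOUNTS = set()


def new_session() -> str:
    """Create an HTTP session and return its ID (sent to the browser in a cookie)."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {}
    return sid


def issue_captcha(sid: str, length: int = 6) -> str:
    """Generate random CAPTCHA text, store the solution in the session and
    return the text (standing in for the image the real server would render)."""
    alphabet = string.ascii_uppercase + string.digits
    text = "".join(secrets.choice(alphabet) for _ in range(length))
    SESSIONS[sid]["captcha"] = text
    return text


def verify_vulnerable(sid: str, answer: str) -> bool:
    """Compares the answer but never removes the stored solution, so the
    session keeps accepting the same answer until it expires (the re-riding flaw)."""
    expected = SESSIONS[sid].get("captcha")
    return expected is not None and secrets.compare_digest(expected, answer)


def verify_fixed(sid: str, answer: str) -> bool:
    """Consumes the stored solution on every attempt, success or failure,
    so a CAPTCHA answer is usable exactly once and a retry needs a new CAPTCHA."""
    expected = SESSIONS[sid].pop("captcha", None)
    return expected is not None and secrets.compare_digest(expected, answer)


def register(sid: str, username: str, answer: str, verify) -> bool:
    """Registration endpoint: create the account only if the CAPTCHA verifies."""
    if not verify(sid, answer):
        return False
    ACCOUNTS.add(username)
    return True


def replay_attack(verify, usernames) -> int:
    """Solve one CAPTCHA, then replay the same answer with a different username
    in each request. Returns the number of accounts created."""
    sid = new_session()
    solved = issue_captcha(sid)  # the attacker solves this single CAPTCHA by hand
    created = 0
    for name in usernames:
        if register(sid, name, solved, verify):
            created += 1
    return created


if __name__ == "__main__":
    bots = [f"bot{i}" for i in range(1, 6)]
    print("vulnerable verifier:", replay_attack(verify_vulnerable, bots), "accounts from one CAPTCHA")
    print("fixed verifier:     ", replay_attack(verify_fixed, bots), "account from one CAPTCHA")
```

Note that `verify_fixed` pops the solution before comparing, so a wrong guess also discards it; that is what prevents an attacker from probing the stored value and is why the text says to reset the solution whenever the verification step completes, not only on success.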